bartek/esa-tool
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

10: Add WebViewPlugin

Browse Source
This commit is contained in:
Bartłomiej Pluta
2019-04-17 08:53:54 +02:00
parent 6ecdafac87
commit 716a6bc92c
3 changed files with 75 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/main/java/com/bartek/esa/core/di/PluginModule.java
View File

@@ -137,4 +137,10 @@ public class PluginModule {
public Plugin orderedAndStickyBroadcastPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
return new OrderedBroadcastPlugin(globMatcher, xmlHelper);
}
@Provides
@IntoSet
public Plugin webViewPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
return new WebViewPlugin(globMatcher, xmlHelper);
}
}

51
src/main/java/com/bartek/esa/core/plugin/WebViewPlugin.java Normal file
View File

@@ -0,0 +1,51 @@
package com.bartek.esa.core.plugin;
import com.bartek.esa.core.archetype.JavaPlugin;
import com.bartek.esa.core.model.enumeration.Severity;
import com.bartek.esa.core.xml.XmlHelper;
import com.bartek.esa.file.matcher.GlobMatcher;
import com.github.javaparser.ast.CompilationUnit;
import com.github.javaparser.ast.expr.Expression;
import com.github.javaparser.ast.expr.MethodCallExpr;
import javax.inject.Inject;
public class WebViewPlugin extends JavaPlugin {
private static final String SETTINGS_METHODS = "addJavascriptInterface|setJavaScriptEnabled|setWebContentsDebuggingEnabled|setAllowFileAccess|setDomStorageEnabled";
@Inject
public WebViewPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
super(globMatcher, xmlHelper);
}
@Override
public void run(CompilationUnit compilationUnit) {
compilationUnit.findAll(MethodCallExpr.class).stream()
.filter(expr -> expr.getName().getIdentifier().matches(SETTINGS_METHODS))
.forEach(this::issueMethod);
}
private void issueMethod(MethodCallExpr methodCall) {
switch (methodCall.getName().getIdentifier()) {
case "addJavascriptInterface":
addIssue(Severity.VULNERABILITY, ".JS_INTERFACE", getLineNumberFromExpression(methodCall), methodCall.toString());
break;
case "setJavaScriptEnabled":
issueSettingsMethod(methodCall, ".JS_ENABLED");
break;
case "setWebContentsDebuggingEnabled":
issueSettingsMethod(methodCall, ".DEBUGGING_ENABLED");
break;
case "setAllowFileAccess":
issueSettingsMethod(methodCall, ".ALLOW_FILE_ACCESS");
break;
}
}
private void issueSettingsMethod(MethodCallExpr methodCall, String descriptionCode) {
Expression firstArg = methodCall.getArguments().get(0);
if (firstArg.isBooleanLiteralExpr() && firstArg.asBooleanLiteralExpr().getValue()) {
addIssue(Severity.INFO, descriptionCode, getLineNumberFromExpression(methodCall), methodCall.toString());
}
}
}

17
src/main/resources/description.properties
View File

@@ -119,3 +119,20 @@ com.bartek.esa.core.plugin.WorldAccessPermissionsPlugin=World access permissions
com.bartek.esa.core.plugin.OrderedBroadcastPlugin=Sending ordered broadcast. Potential broadcast theft.\n\
Malicious applications can intercept ordered broadcasts, stop their propagation and resend with malicious data.
com.bartek.esa.core.plugin.WebViewPlugin.JS_INTERFACE=WebView with JavaScript interface. Potential malicious code injection.\n\
The WebView uses 'addJavascriptInterface' method which exposes public methods to JavaScript code. Loading JavaScript code \n\
from untrusted sources is a major security violation and should never be used.
com.bartek.esa.core.plugin.WebViewPlugin.JS_ENABLED=JavaScript enabled in WebView.\n\
The WebView has enabled JavaScript code execution. This can effect in XSS attack.\n\
Consider disabling JavaScript in WebView.
com.bartek.esa.core.plugin.WebViewPlugin.DEBUGGING_ENABLED=JavaScript debugging enabled in WebView.\n\
The WebView has enabled JavaScript code debugging. This can effect in data leakage from WebView component.\n\
Consider disabling JavaScript debugging in WebView.
com.bartek.esa.core.plugin.WebViewPlugin.ALLOW_FILE_ACCESS=Access to file system from WebView.\n\
The WebView has granted access to private files. Loading content from untrusted source may effect with \n\
accessing private files by malicious site/application.\n\
Consider disabling this option.